Flashloan fees are distributed unfairly #126
Comments
I believe this finding to be valid. However, I think this report is of informational severity, because the report has not identified an attack vector, unlike the other reports mentioning the potential of value leak out of the protocol by way of stealing fees, such as my report: #136. Disclaimer: Reduction of severity of this report would benefit me.
Dup of #136
GalloDaSballo marked the issue as satisfactory
GalloDaSballo marked the issue as not a duplicate
GalloDaSballo marked the issue as duplicate of #136
Lines of code
https://github.com/code-423n4/2022-10-traderjoe/blob/main/src/LBPair.sol#L420-L456
Vulnerability details
Impact
Flash loan fees are distributed only to the participants of the active bin (and the protocol). This is unfair. Liquidity providers do not earn when their liquidity is used by a flashloan.
Proof of Concept
In the LBPair.flashLoan function, fees for the loan are distributed only to the pair's active bin. Only liquidity providers of this bin are paid for using their liquidity. When a flash loaner takes a huge loan, he uses the liquidity not only of the active bin, but of some other bins as well. All providers of this liquidity should be compensated.
I understand why this is done: if they calculate all bins that should participate in fee distribution, it will take more gas and flash loans will be expensive. However, I just want to point to the fact that such distribution is not correct.
Tools Used
VsCode
Recommended Mitigation Steps
Think about another flash loan fee distribution mechanism. Or distribute such fees only to the protocol when the flashloan amount is more than the active bin reserves.
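The distribution described in the report, next to the mitigation it recommends and a pro-rata split, as an added Python model (not code from LBPair.sol or from the report's author). The bin ids, reserves, fee rate, protocol share and the pro-rata rule are assumptions made for illustration.

```python
# Added illustration: a simplified accounting model, not the LBPair contract code.
# Bin ids, reserves, fee rate and protocol share are constructed sample values.
BPS = 10_000

def split_fee(amount, fee_bps, protocol_share_bps):
    """Return (lp_fee, protocol_fee) for a flash loan of `amount`."""
    fee = amount * fee_bps // BPS
    protocol_fee = fee * protocol_share_bps // BPS
    return fee - protocol_fee, protocol_fee

def active_bin_only(bins, active_id, amount, fee_bps, protocol_share_bps):
    """Behaviour described in the report: the whole LP share goes to the active bin."""
    lp_fee, protocol_fee = split_fee(amount, fee_bps, protocol_share_bps)
    return {active_id: lp_fee}, protocol_fee

def pro_rata(bins, active_id, amount, fee_bps, protocol_share_bps):
    """Hypothetical alternative: LP share split by each bin's share of reserves."""
    lp_fee, protocol_fee = split_fee(amount, fee_bps, protocol_share_bps)
    total = sum(bins.values())
    payouts = {b: lp_fee * r // total for b, r in bins.items()}
    # Integer-division dust is credited to the protocol so no fee is lost.
    protocol_fee += lp_fee - sum(payouts.values())
    return payouts, protocol_fee

def protocol_when_oversized(bins, active_id, amount, fee_bps, protocol_share_bps):
    """Mitigation suggested in the report: a loan larger than the active
    bin's reserves pays its entire fee to the protocol."""
    if amount > bins[active_id]:
        lp_fee, protocol_fee = split_fee(amount, fee_bps, protocol_share_bps)
        return {}, lp_fee + protocol_fee
    return active_bin_only(bins, active_id, amount, fee_bps, protocol_share_bps)

# Constructed pool: the active bin (100) holds 10% of total reserves.
SAMPLE_BINS = {99: 400_000, 100: 100_000, 101: 500_000}
ACTIVE = 100

if __name__ == "__main__":
    loan, fee_bps, share_bps = 600_000, 10, 2_000  # loan is 6x the active bin
    for rule in (active_bin_only, pro_rata, protocol_when_oversized):
        payouts, protocol = rule(SAMPLE_BINS, ACTIVE, loan, fee_bps, share_bps)
        print(f"{rule.__name__:24} LP payouts={payouts} protocol={protocol}")
```

In every rule the payouts plus the protocol amount equal the total fee, so the rules differ only in who receives it.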